Archive for August, 2009

Senator Jay Rockefeller of West Virginia has introduced legislation that would give the President the authority to declare a “cybersecurity emergency” and take control of certain private, non-governmental networks during such an emergency. The bill is full of vague language and describes powers that can be exercised without any judicial or other review, if necessary for U.S. “national defense and security.”

There are all kinds of problems here, as the Declan McCullagh report enumerates. First, the government has shown itself not to be very good at cybersecurity. For another, the Obama administration invoked national security as the reason not to share a draft intellectual property treaty with the public. (See Say It Ain’t So, Barak, March 14, 2009.) By that standard, the government could take over the Internet on a whim or a scare.

I was far from the only person perturbed by this policy. It was rational in its way — they can search your suitcase, so why not your laptop? — and yet it was disturbing. Only in recent years have people routinely walked around with their entire life histories in readable format. Why should the government not be required to show probable cause before reading your love letters and personal photos from a decade ago? And then there was the fact that laptops of doctors and lawyers have lots of information about other people on them. Aren’t they entitled to some protection from the curiosity of border guards?

Now Janet Napolitano has issued new guidelines that tighten things up a bit. Here is the CNN story; here is the DHS press release, and here are the rules themselves (pdf, 10 pages).

In essence, DHS has put limits on how long the laptops can be held (5 days) and has guaranteed the person whose laptop is being inspected the right to be in the room at the time agents are inspecting the laptop (though not necessarily the privilege of watching what they are doing). But left in place is the basic right of DHS to look at any laptop it wishes without having to provide any reason for doing so.

The release says only a tiny fraction of laptops were inspected while the earlier policy was in place, which is nice, but that is no guarantee that an individual agent will not adopt a different standard.

Whole disk encryption, which is increasingly standard for business laptops, should be standard for private citizens taking their laptops on international trips. The policy document addresses this possibility too:

Officers may sometimes have technical difficulties in conducting the search of electronic devices such that technical assistance is needed to continue the border search. Also, in some cases Officers may encounter information in electronic devices that requires technical assistance to determine the meaning of such information, such as, for example, information that is in a foreign language and/or encrypted (including information that is password protected or otherwise not readily reviewable). In such situations, Officers may transmit electronic devices or copies of information contained therein to seek technical assistance from other federal agencies. Officers may seek such assistance with or without individualized suspicion.

So make your encryption key long enough so it can’t be cracked in five days. (My understanding of US court precedents is that the government can’t compel you to disclose your encryption key — though it may be able to obtain a warrant to search your home and your leather appointment book for the place you wrote it down.)

Altogether this new policy seems to me to leave too much to the discretion of the border officials. I recognize that we’d love to catch terrorists carrying blueprints of their targets, but I suspect that some of those searches are for bad pictures. If the number of laptops they want to search is so small, it should not be a big problem for them to get judicial approval before searching them.

Harvard Magazine has a general-interest story about the erosion of privacy, featuring various Harvard colleagues and myself. It was fun to work with Jonathan Shaw, who wrote the article, but the most interesting part of working with the Magazine was the set-up for the photo shoot!

That was the advice of a friend who forwarded to me a recommendation he had received from Amazon. These recommendation systems, drawing on vast databases of information about individuals’ purchase histories, are usually pretty reasonable in their suggestions. I would love to understand this one, though.

Dear Amazon.com Customer,

We’ve noticed that customers who have purchased or rated Blown to Bits: Your Life, Liberty, and Happiness After the Digital Explosion by Hal Abelson have also purchased Vicious Verses and Reanimated Rhymes: Zany Zombie Poetry for the Undead Head by W. Bill Czolgosz. For this reason, you might like to know that Vicious Verses and Reanimated Rhymes: Zany Zombie Poetry for the Undead Head is now available. You can order yours for just $12.99 by following the link below.

In New York, some clown started a blog called “Skanks in NYC” for the sole purpose of heaping verbal abuse on, well, whatever people he thought deserved that appellation. The blog was hosted by Blogger.com, a Google service. The site apparently was active for only a day, during which the clown posted five items, one of them referring to a model named Liskula Cohen as a “ho” and a few other things.

Ms Cohen wanted to know who was speaking ill of her, and asked Blogger to disclose that information so she could pursue a defamation suit. I pick up the story from CNN:

On Monday, New York Supreme Court Judge Joan Madden ruled that Google must hand over to Cohen any identifying information it possesses about the blog’s creator. … “The protection of the right to communicate anonymously must be balanced against the need to assure that those persons who choose to abuse the opportunities presented by this medium can be made to answer for such transgressions,” the judge said ….

And Blogger did, under the court order, turn over to Cohen the IP and email addresses of the blogger. A Google attorney said the company was sensitive to both privacy and to cyberbullying, but a court order trumps any concerns of the company.

Now it turns out that the blogger clown is one Rosemary Port, a Fashion Institute of Technology student who, according to the Daily News, had been involved in some sort of personal quarrel with Cohen. Cohen has decided not to pursue the defamation suit. Port, however, says she will sue Google for $15 million for invasion of her privacy.

“Before her suit, there were probably two hits on my Web site: One from me looking at it, and one from her looking at it,” Port said. “That was before it became a spectacle. I feel my right to privacy has been violated.”

That’s an odd transition — she put it up on the Web where anybody in the world could see it. But only a couple of people did, so she claims a privacy invasion when so much attention got focused on it. Still, she didn’t think she was going to be unmasked. Port’s lawyer makes a knee-jerk appeal to the pseudonymously published Federalist Papers, which lobbied for adoption of the U.S. Constitution.

I doubt Port has a case. Google’s Privacy Policy states, “Google only shares personal information with other companies or individuals outside of Google in the following limited circumstances: … We have a good faith belief that access, use, preservation or disclosure of such information is reasonably necessary to (a) satisfy any applicable law, regulation, legal process or enforceable governmental request ….” Sounds like that covers it. Anyone who’s signed up for a Gmail account agreed to that. (Actually, just doing a Google search causes you to agree to these terms implicitly, but that’s another matter.)

Bloggers (and blog commenters) beware. You can use anonymity tools, such as Tor, if you are really worried about being discovered, but if you do something unlawful behind the veil of an anonymous blog, your cover may be blown.

(It’s a separate question whether calling someone a “ho” or a “skank” actually constitutes defamation. I have no opinion on that one.)

The state of Illinois has enacted a law prohibiting anyone classified as a sex offender from using any social networking site. The definition of the latter is quite complicated — it certainly covers more than Facebook and Myspace. Blogs may qualify as well. The language is hard to parse.

I understand the impulse, but this looks like another blunt instrument designed in a moment of panic, like the Child Online Protection Act we discuss in Chapter 7 of Blown to Bits. Andrew Moshirnia argues that it’s probably unconstitutional as other such laws have proved to be — it simply restricts too much speech that doesn’t need restriction in order to get at the subset that is actually objectionable. Moshirnia points out two other minor problems: it won’t work (it’s too easy to create a fake identity online) and sex offender registries are overbroad (read my other book, Excellence Without a Soul, if you’d like to see how one Harvard undergraduate earned his status on the list). Then there’s the fact, abundantly documented in the Internet Safety Technical Task Force report, that the Internet is not the enabler of sex crimes that politicians love to pretend it is.

Go after the crimes, not the tools. The fact that some people can use their liberty for evil ends is no reason to restrict anyone’s liberty pointlessly.

More than a year ago, the FCC ordered Comcast to stop using its tactics for slowing peer-to-peer movie downloads. Customers hogging bandwidth by using BitTorrent, for example, would suddenly find their bit delivery slowed to a standstill. Comcast was inserting forged packets in the communication between the customer and the download site–packets essentially saying “something’s wrong, please start over.” Customers had no way of knowing what the problem was, but naturally assumed that it was either with them or with the site at the other edge of the network, not with the ISP they had hired to deliver bit packets to them.

The FCC ordered Comcast to cut it out, noting the anti-competitive implications of Comcast’s techniques–customers unable to get their movies from where they were trying to get them might buy them from Comcast instead. The problem to which the FCC responded is exactly the same as the 19th century problem of telegraphy, when Western Union cut an exclusive deal with one of the “wire services” so that the information carrier would restrict the content delivered to the customer.

Comcast complied with the FCC order, but expressed skepticism that the FCC really had the authority it claimed. The other shoe has finally dropped: Comcast is taking the FCC to court for exceeding its regulatory authority. Ars Technica has a good write-up: FCC enforcing imaginary laws in P2P ruling, says Comcast.

However the court finds (and it will probably take some time finding anything), Congress should act. There seems a reasonable likelihood that FCC authority, vested in it long before the Internet was invented, can’t be stretched to give it veto power over deep packet inspection. Obama ran on a platform favoring Net Neutrality; time for him to get Congress to work.

The Electronic Frontier Foundation has a remarkable account of a clever use of the Digital Millennium Copyright Act by the Burning Man Organization. That’s the radical artistic celebration and community-gathering that happens every year in Nevada. BMO includes in the terms and conditions to which you agree when you buy a ticket that BMO will own any photos or videos of the events that are used in a way BMO doesn’t like. Once BMO owns the copyright, it can, of course, demand that they be taken down from wherever you’ve posted them. Ingenious! Same technique some doctors are using to prevent patients from posting unflattering reviews — sign over to the doctors the copyright on anything you say about them, and they figure they can force the doctor-review web sites to remove the material, which isn’t yours to post.

The DMCA notice and takedown provisions have created a funny-farm world, in which ordinary people using the Web to express themselves haven’t a prayer against the lawyered-up pros — even the pros of radical artistic organizations.

That is the title of a superb column by Pamela Samuelson explaining some (but only some) of the worries about the proposed settlement of copyright infringement claims against Google for scanning copyrighted works. She explains the perverse incentives to both parties to this litigation. In a word, each realized that they could become literary monopolists if they played their cards right with each other.

That is exactly the reason why the federal judiciary gets involved in settlements that private parties have negotiated with each other in class action cases. There is too much risk that the parties will find a way to divide the pie between themselves in a way that does not serve the public well.